
Scada software is typically used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

If the mobile app vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, according to the report.

The report on Scada and mobile security in the internet of things (IoT) era is based on research by security services firm IOActive and zero-day attack-focused security startup Embedi.

Exploiting the vulnerabilities could also cause a Scada operator to unintentionally perform a harmful action on the system, according to the report’s authors, Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi.

The release of the research coincides with the publication of a report by international affairs think-tank Chatham House, which warns that the risk of cyber attacks on nuclear weapons’ control systems is “relatively high”, with recent cases of cyber attacks indicating that nuclear weapons systems could also be subject to interference, hacking and sabotage through the use of malware.

Jason Larsen, principal security consultant at IOActive, said the research reinforces the fact that mobile apps are increasingly riddled with vulnerabilities that could have dire consequences for Scada systems that operate industrial control systems (ICS).

“The key takeaway for developers is that security must be baked in from the start,” he said. “It saves time, money, and ultimately helps to protect the brand.”

The report updates original research conducted by Bolshev and Yushkevich in 2015 that found a total of 50 issues in 20 mobile apps that were analysed. Just two years later, they found an average increase of 1.6 vulnerabilities per app.

The research focused on testing software and hardware, using back-end fuzzing and reverse engineering to uncover a range of security vulnerabilities.

“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” said Bolshev. “It is important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target industrial control applications, either.

“If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for industrial control system software and hardware. What this results in is attackers using mobile apps to attack other apps.”

Yushkevich said developers need to keep in mind that applications are gateways to mission-critical industrial control systems. “It is important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks,” he said.

IOActive and Embedi informed the affected suppliers of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.
